http://story.news.yahoo.com/news?tmp...pcworld/114340
PayPal Scam Spreads Mimail Worm
Thu Jan 15, 1:00 PM ET Add Technology - PC World to My Yahoo!
Paul Roberts, IDG News Service
After releasing a new version of the Mimail e-mail worm last week, virus authors are using a new tool to help it spread: spam e-mail containing a Trojan horse program that, once installed, retrieves and installs the worm.
• Viruses, Worms Will Worsen in 2004
• Sobig Wins the War of the Worms
• Sysbug-A Virus On the Prowl
• Viral Scourge 101
• Microsoft, Antivirus Vendors Team
Missed Tech Tuesday?
Paranoid much? Get smart about different kinds of attacks, plus keeping yourself safe and nine famous hacks.
The new threat, which targets customers of EBay's PayPal online payment service, highlights a growing trend in which online criminals combine computer viruses, spam distribution techniques, Trojan horse programs, and "phishing" scams to circumvent security technology and fool Internet users, says Carole Theriault, security consultant at Sophos in Abingdon, England.
Antivirus companies including Sophos and Kaspersky Labs warned customers Thursday about the new threat, which arrives in e-mail in-boxes as a message purporting to come from online payment service PayPal.
Get the Message
The message subject line is "PAYPAL.COM NEW YEAR OFFER" and it reads, in part: "for a limited time only PayPal is offering to add 10 percent of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!"
For their computers to be infected, users who open the compressed Zip file attached to the e-mail must then open a second file, which installs a Trojan horse program. That program connects to a Web site in Russia and retrieves the latest version of the Mimail worm, Mimail-N, Theriault says.
Once installed, Mimail-N alters the configuration of Microsoft Windows so that the worm is launched whenever Windows starts, harvests e-mail addresses from the computer's hard drive, and mails copies of itself out to those addresses. It also creates phony PayPal Web pages used to prompt the user to enter credit card numbers and other personal information, according to an alert issued by Kaspersky Labs.
Information that is harvested is sent to the same Russian Internet site from which the Mimail worm was retrieved, Theriault says.
New Strategy
The strategy of using a Trojan program to retrieve the new virus is unorthodox, and may be intended to circumvent antivirus products that have already been updated to spot the new versions of Mimail, she says.
Trojan horse programs cannot spread on their own, like e-mail or Internet worms, but they do provide a new way to infiltrate a computer on a network that is using antivirus protection at the e-mail gateway. If the antivirus product has not been updated to detect the new Trojan program, e-mail messages containing it can slip by those defenses and be opened by users, she says.
The biggest impact of the new worm will be on home Internet users who have not installed desktop antivirus or firewall products, she says.
Even if users end up falling for the ruse, organizations that use firewalls and desktop antivirus products should be able to spot the Trojan program once it is installed on the desktop or prevent it from connecting to the outside server and retrieving a copy of the Mimail worm, she says.
Linear Mode
